We survey some current research concerning the generation of random and pseudorandom
keystreams for use in cryptographic stream ciphers, including the use of
chaotic discrete dynamical systems.


1  Introduction 


Communications security is vital in the information age. For this reason, cryptography (the
branch of cryptology dealing with the making of secure cipher systems; the other branch,
cryptanalysis, attempts to break such systems) is no longer of concern only to the
government, but also to private industry. Simple cipher systems such as those in [Sinkov] are
easily broken today, if not by ingenuity then by brute force computer attacks [Bamford];
more sophisticated methods are therefore necessary. One cipher system used when security
is essential (e.g., the "hot line" connecting the Pentagon to Moscow [Kahn]) is the one-time
pad, or random Vernam cipher. Consider a message P to be encrypted; P is called the
plaintext. We begin by converting P to binary form, say by using the ASCII code. The
encoded plaintext is a binary string S of some length N. We now generate a bitstring R of
length N, the entries of which are chosen uniformly and independently from {0, 1}; that is,
R is a "random" bitstring (called the keystream). The enciphered message, or ciphertext
(C), is formed as the bitwise exclusive-or of S and R.

$$C = S + R \pmod 2$$

where the sum is formed bit-by-bit. The ciphertext C may now be transmitted, and the
receiving party may recover S as

$$S = C - R \pmod 2 = C + R \pmod 2$$

(bitwise) since subtraction is the same as addition in binary arithmetic. Then S can be
decoded to P using the original binary coding system.

This method is provably secure [Shannon] but has several drawbacks. First, generating
truly random bits is a time-consuming and difficult process. Second, the one-time pad
sequence R is as long as the (encoded form of the) message; this sequence must be known to
both the sender and the receiver, creating serious logistical problems. Although this is done
for sufficiently sensitive material [Bamford], for less sensitive material an additive stream
cipher is often employed. Here the random bitstring R is replaced by a pseudorandom
bitstring generated by some method (commonly a linear shift register; see section 3). In
this case a small key of fixed length (the seed of the pseudorandom number generator) is all
the information required to generate the enciphering sequence of length N. It might seem
apparent that this system inherits the known security of the random Vernam cipher, but
this depends on the quality of the pseudorandom number generator. We will discuss several
measures of pseudorandomness in the next section.

Before doing so, however, we mention another way to shorten the keylength [Maurer 1].
Consider a large, publicly available list of truly random bits, a list much larger than any
message which might be sent. Arrange it into K rows and T columns (so that there are a
total of KT bits in the list). Once again we will form our ciphertext C from the encoded
form S (of length N) of our plaintext P by

$$C = P + W \pmod 2$$

(bitwise), where W is a "random" bitstring chosen from the list as follows. We select a secret
key, known only to the sender and the (intended) receiver. This key is a K-vector, with each
entry an integer chosen from {1, ..., T}. For each of the K rows of the list of random bits,
the corresponding element of the key specifies a column. Beginning with this column, we
take the first N bits in that row and form a binary sequence $u_i$ for i = 1, ..., K (wrapping
around to the first entry of the row if we reach its end). Then

$$W = u_1 + \cdots + u_K \pmod 2$$

(bitwise) is the desired keystream. This cipher system is strongly-randomized and requires
a key of fixed length, but the logistics of generating and maintaining the public table may
make this scheme impractical.
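The randomized scheme just described can be written out as follows. This is an added example, not code from the paper or from [Maurer 1]; the table size, the seeded generator standing in for the public list of truly random bits, and all function names are assumptions made for illustration.

```python
import random

K, T = 4, 64   # rows and columns of the public table (constructed, deliberately tiny)

def make_public_table(seed=1):
    # Stand-in for the public list of truly random bits. A seeded PRNG is used
    # only so that the example is reproducible; it is not a source of true randomness.
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(T)] for _ in range(K)]

def to_bits(text):
    # ASCII encoding of the plaintext, most significant bit first
    return [(byte >> (7 - j)) & 1 for byte in text.encode("ascii") for j in range(8)]

def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return out.decode("ascii")

def keystream(table, key, n):
    # key[i] in {1, ..., T} is the starting column for row i. Each row contributes
    # n bits, wrapping around at the end of the row; the rows are summed mod 2.
    w = [0] * n
    for row, start in zip(table, key):
        for j in range(n):
            w[j] ^= row[(start - 1 + j) % T]
    return w

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encrypt(table, key, plaintext):
    s = to_bits(plaintext)
    return xor_bits(s, keystream(table, key, len(s)))

def decrypt(table, key, ciphertext_bits):
    w = keystream(table, key, len(ciphertext_bits))
    return from_bits(xor_bits(ciphertext_bits, w))

if __name__ == "__main__":
    table = make_public_table()
    key = [5, 64, 17, 33]                 # the secret K-vector (constructed)
    c = encrypt(table, key, "HOTLINE")
    print("ciphertext bits:", "".join(map(str, c)))
    print("decrypted      :", decrypt(table, key, c))
```

The secret is only the K column indices; everything else, including the table, is public.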


2  Pseudorandom  Bitstreams 

Now we consider the problem of generating a pseudorandom keystream R for use in an
additive stream cipher. What properties should such a bitstring have? There is no universal
agreement. However, it seems desirable that the bitstring be balanced, that is, have roughly
the same proportion of ones and zeroes. If not, an enemy cryptanalyst could simply guess
that the keystream was

$$R = \{1, 1, 1, \ldots, 1\}$$

(or, alternatively, all zeroes) and have a fair chance of reading at least part of the message. By
extension, the sequence should probably have balanced runs, that is, all binary subsequences
of length n < N should appear equally often (roughly). For example, the keystream

$$R = \{0, 1, 0, 1, \ldots, 0, 1\}$$

is balanced, but since the only runs of length two that appear are the subsequences {0, 1}
and {1, 0}, the cryptanalyst has an edge.

In addition, prediction of the sequence from a small part of it should be difficult (for
someone without knowledge of the underlying generator, of course). The next bit test
[Schrift] requires that prediction of the next bit in a sequence from the previous bits be
not significantly better than 50% successful. A more common means of achieving the goal
of unpredictability is to require that the autocorrelation of the proposed keystream be small
for nonzero lags. In particular, the widely-used Golomb postulates state that a sequence is
pseudorandom if it is balanced, has good runs properties, and has a small autocorrelation.
What is meant by "good" and "small" depends on the application and the degree of security
needed.
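The three checks named above can be run side by side on the alternating keystream of this section and on the seven-bit periodic sequence (3.3) derived in section 3. This is an added example, not code from the paper; the function names and the choice of the periodic (cyclic) form of each measure are assumptions.

```python
from collections import Counter
from itertools import product

def balance(bits):
    # proportion of ones; 0.5 is perfectly balanced
    return sum(bits) / len(bits)

def tuple_census(bits, n):
    # how often each n-bit pattern occurs, reading the sequence cyclically
    N = len(bits)
    seen = Counter(tuple(bits[(i + j) % N] for j in range(n)) for i in range(N))
    return {t: seen.get(t, 0) for t in product((0, 1), repeat=n)}

def autocorrelation(bits, lag):
    # periodic autocorrelation: (agreements - disagreements) / N at the given lag
    N = len(bits)
    return sum(1 if bits[i] == bits[(i + lag) % N] else -1 for i in range(N)) / N

def report(bits, n=2):
    census = tuple_census(bits, n)
    return {
        "balance": balance(bits),
        "missing": sorted(t for t, count in census.items() if count == 0),
        "max_offpeak": max(abs(autocorrelation(bits, k)) for k in range(1, len(bits))),
    }

ALTERNATING = [0, 1] * 16            # the keystream {0,1,0,1,...,0,1}
M_SEQUENCE = [1, 0, 0, 1, 0, 1, 1]   # one period of sequence (3.3)

if __name__ == "__main__":
    for name, seq in (("alternating", ALTERNATING), ("m-sequence", M_SEQUENCE)):
        print(name, report(seq))
```

The alternating keystream passes the balance check but is missing two of the four pairs and has an off-peak autocorrelation of magnitude 1; the sequence (3.3) contains every pair and its off-peak autocorrelation has magnitude 1/7.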

There are a variety of other measures of pseudorandomness in use, including the notions
of per bit entropy, Maurer's universal statistical test [Maurer 2], and many more. In the
next section we discuss one final test, the linear complexity profile.


3  Linear  Shift  Registers 

One of the most common methods of generating pseudorandom sequences used in practice
is the linear shift register. An n-stage linear shift register is the electronic implementation
of an nth order recurrence relation of the form

$$r_i = \alpha_1 r_{i-1} + \alpha_2 r_{i-2} + \cdots + \alpha_n r_{i-n} \qquad (3.1)$$

where $\alpha_1, \ldots, \alpha_n$ are chosen from {0, 1}, and the initial fill $\{r_0, \ldots, r_{n-1}\}$ (a binary sequence
of length n, not consisting entirely of zeroes) is given. For example, the recurrence relation

$$r_i = r_{i-2} + r_{i-3} \qquad (3.2)$$

can easily be implemented as a linear shift register [Heyman 1]. If the initial fill is {1, 0, 0},
i.e.

$$r_0 = 1, \quad r_1 = 0, \quad r_2 = 0$$

then the successive iterates can be computed from the formula (3.2) as

$$\begin{aligned}
r_3 &= r_1 + r_0 = 0 + 1 = 1 \\
r_4 &= r_2 + r_1 = 0 + 0 = 0 \\
r_5 &= r_3 + r_2 = 1 + 0 = 1
\end{aligned}$$

and so on. The sequence $\{r_0, r_1, r_2, r_3, \ldots\}$ generated by this method is

$$\{1, 0, 0, 1, 0, 1, 1, \ldots\} \qquad (3.3)$$

where the seven bits indicated repeat periodically. Although this may seem undesirable at
first, it is the best possible result. To see this, note that in the formula (3.2) each new iterate
is determined by the three preceding iterates, and hence the sequence must repeat as soon
as a three-tuple is repeated. As there are only seven possible nonzero three-tuples in this
case (the three-tuple {0, 0, 0} would lead to an infinite sequence of zeroes, which is not very
pseudorandom), and all are present in the sequence (3.3) (when repeated periodically), the
sequence must begin to repeat itself. More generally, an nth order recurrence relation of the
form (3.1) leads to a binary sequence which is periodic with period at most

$$2^n - 1$$

and possibly less. By associating with the formula (3.1) a characteristic polynomial (in
the usual way), it is possible to characterize those linear shift registers that give rise to
sequences of maximal period (called m-sequences). These full length shift registers are the
ones employed in practice. In addition to having maximal period, it follows that in an
m-sequence all n-tuples appear exactly once (except for the n-tuple of all zeroes).

Now suppose that one is confronted with a binary sequence of length N which is known
to have been generated by an n-stage linear shift register. It would appear from (3.1) that
any subsequence of 2n consecutive bits

$$\{b_0, \ldots, b_{2n-1}\}$$

could be used to set up a linear system in the unknown coefficients $\{\alpha_1, \ldots, \alpha_n\}$

$$\begin{aligned}
b_n &= \alpha_1 b_0 + \alpha_2 b_1 + \cdots + \alpha_n b_{n-1} \\
b_{n+1} &= \alpha_1 b_1 + \alpha_2 b_2 + \cdots + \alpha_n b_n \\
&\;\;\vdots \\
b_{2n-1} &= \alpha_1 b_{n-1} + \alpha_2 b_n + \cdots + \alpha_n b_{2n-2}
\end{aligned}$$

which might then be solved, giving the recurrence relation. In practice, the Berlekamp-Massey
[Massey] algorithm, or a variant, is used. This method does not attempt to solve
the system given above but instead finds the coefficients in a recurrence relation that could
have been used to generate the sequence; if the sequence in question is not an m-sequence,
the recurrence relation generated by the Berlekamp-Massey algorithm may be of lower order
than the one actually used to generate the sequence in the first place. The order of the
recurrence relation found by this algorithm is called the linear complexity of the sequence,
and a higher linear complexity generally indicates a greater degree of pseudorandomness.

Although m-sequences have many interesting and desirable properties (not all of which
can be mentioned here), including good autocorrelation properties, we mention some
drawbacks. First, notice that an n-stage linear shift register produces a sequence whose period is
bounded in terms of n. Second, the sequence can be completely simulated from the
knowledge of only 2n bits. Of course, these 2n pseudorandom bits are masked in the ciphertext by
the message, just as the message is masked by the keystream, and so finding such a string of
bits generally requires some extra information (knowledge of a small part of the plaintext,
for example). Finally, consider the sequence (of length N)

$$\{0, 0, 0, \ldots, 0, 1\} \qquad (3.4)$$

i.e. all zeroes except for the last bit. Since this is an N-tuple, but not a p-tuple for p < N, the
linear complexity of this sequence is N. Hence a very "bad" sequence can have arbitrarily
high linear complexity (m-sequences do not possess this problem).

One means of detecting sequences such as (3.4) is the linear complexity profile [Rueppel].
Given a binary sequence of length N, we plot the linear complexity of the leading
subsequence of length i, $L_i$, versus i (i = 1, ..., N). The sequence $\{L_1, \ldots, L_N\}$ is a nondecreasing
sequence of nonnegative integers. For a "good" sequence, the leading subsequences should
have linear complexity near i/2 (since the first i points could be used to determine a
recurrence relation of order i/2). For the sequence (3.4), the linear complexity profile would be
flat until the last element ($L_i = 0$, i = 1, ..., N - 1), which would then jump up to the linear
complexity of the sequence ($L_N = N$). This does not follow the line with slope 1/2 and
hence would not be considered a "good" sequence.

Related to the linear complexity profile is the jump complexity profile [Niederreiter]. For
i = 1, ..., N, we form the first difference of $\{L_1, \ldots, L_i\}$ and define the jump complexity
profile $P_i$ to be the number of positive integers (the "jumps") in the vector of differences. It
is immediate that $P_i \le L_i$, and for a "good" sequence it can be shown that $P_i$ should follow
the line with slope 1/4 when plotted versus i (i = 1, ..., N).


4  Cryptographically  Strong  Sequences 

Are m-sequences pseudorandom? In a sense, they offer almost too much regularity to appear
random. However, they seem to have all the properties we might desire in a keystream:
balance, balanced runs, good autocorrelation, optimal linear complexity with a good linear
complexity profile, and period length that can be made as large as desired. In this sense
they are quasirandom, that is, random enough for our purposes. Of course, all we
really are interested in is a sequence which will give a cipher that is as difficult to break as
possible; pseudorandomness is merely the most obvious method of finding such sequences.
In a cryptographic setting, we generally speak of a keystream as being cryptographically
strong if it would make a "good" keystream, in a sense that is rarely made precise; generally,
pseudorandomness is a major aspect of cryptographic strength.

There is another pragmatic consideration in choosing a keystream: errors. Because of
the possibility of transmission errors, the encoding used to transform the plaintext to its
binary form S often includes some redundancy so that the code can be error-correcting. For
sufficiently short messages, the entire plaintext may be encoded an odd number of times
and, in the event of discrepancies between the various copies of the message, the majority
rules. Other more sophisticated methods are often used.

However, keystream errors can also occur. For this reason (among others), the notion
of k-complexity has been proposed by [Stamp]. Since the term k-complexity is also used
in another context in cryptography (namely, in describing certain nonlinear shift registers),
we will use the term linear komplexity (of order k) instead. For a given sequence R, the
komplexity of order k is defined as the smallest linear complexity of all sequences which
differ from R in at most k places, which can be interpreted as the worst case result of at
most k errors occurring in the keystream sequence. For example, sequence (3.4) has linear
komplexity (or complexity of order zero) N, but the komplexity of order one is clearly zero,
since changing a single bit (the final one) gives the sequence

$$\{0, 0, 0, \ldots, 0\}$$

which, by convention, has linear complexity zero (the lowest possible). Hence this keystream
is not safe with respect to transmission errors. Another interpretation is to say that the
komplexity of order one has detected the weaknesses that would have been seen in the linear
complexity profile.

More generally, a linear komplexity profile can be created. The example (of length N)

$$\{1, 1, 1, \ldots, 1\}$$

(which has unit linear complexity but can be made into a sequence of zero linear complexity
with exactly N changes) shows that the komplexity of order k should be computed for
k = 0, ..., N (unless it should reach zero before then). However, at most N/2 changes can
always give a sequence of all ones or all zeroes (by changing whichever there are fewer of in
the sequence, ones or zeroes), and so the height of the profile is at most unity for values above
N/2, and therefore not especially interesting. The linear komplexity profile may be viewed
in two ways. First, a sharp drop for small k indicates a cryptographically weak sequence (as
a relatively small shift register will approximate the sequence in all but k places). Second, if
the number of potential transmission errors can be estimated, then the resulting worst case
linear complexity can be checked for acceptability.
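The measures of sections 3 and 4 can be computed directly: the shift register (3.2), its recovery from 2n keystream bits, the linear complexity profile of (3.4), and the komplexity of order k. This is an added example, not code from the paper; it uses the textbook binary Berlekamp-Massey iteration, and the komplexity routine is an exhaustive search over bit flips that is practical only for short sequences (it is not the algorithm of [Stamp]). All names are assumptions.

```python
from itertools import combinations

def lfsr(taps, fill, length):
    """Extend `fill` with r_i = sum of r_(i-t) for t in taps (mod 2)."""
    r = list(fill)
    while len(r) < length:
        r.append(sum(r[-t] for t in taps) % 2)
    return r[:length]

def berlekamp_massey(s):
    """Return (profile, c): profile[i-1] is the linear complexity L_i of s[:i];
    c is the final connection polynomial, s_i = sum_j c[j] * s_(i-j) (mod 2)."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m, profile = 0, -1, []
    for i in range(n):
        d = s[i]                          # discrepancy: does c predict s[i]?
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:                # register too short: it must grow
                L, m, b = i + 1 - L, i, t
        profile.append(L)
    return profile, c[:L + 1]

def linear_complexity(s):
    return berlekamp_massey(s)[0][-1] if s else 0

def simulate(known, length):
    """Clone the generator from known keystream bits and run it forward."""
    _, c = berlekamp_massey(known)
    taps = [j for j in range(1, len(c)) if c[j]]
    return lfsr(taps, known, length)

def jumps(profile):
    """Number of positive first differences of the profile L_1, ..., L_i."""
    return sum(1 for lo, hi in zip(profile, profile[1:]) if hi > lo)

def komplexity(s, k):
    """Exhaustive search: least linear complexity within at most k bit changes."""
    best = linear_complexity(s)
    for e in range(1, k + 1):
        for flips in combinations(range(len(s)), e):
            t = list(s)
            for p in flips:
                t[p] ^= 1
            best = min(best, linear_complexity(t))
    return best

M_SEQ = lfsr((2, 3), [1, 0, 0], 21)   # recurrence (3.2) with initial fill {1,0,0}
BAD = [0] * 11 + [1]                  # sequence (3.4) with N = 12

if __name__ == "__main__":
    print("m-sequence:", M_SEQ[:7], "linear complexity", linear_complexity(M_SEQ))
    print("cloned from 2n = 6 bits:", simulate(M_SEQ[:6], 21) == M_SEQ)
    print("profile of (3.4):", berlekamp_massey(BAD)[0])
    print("komplexity of (3.4), order 0 and 1:", komplexity(BAD, 0), komplexity(BAD, 1))
```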


5  Chaotic  Keystream  Generation  Schemes 

Linear shift registers are commonly used for the generation of keystream sequences (generally
with their output further scrambled by a nonlinear Boolean function before being used in
the cipher). However, their fixed maximal period (for a given number of stages) and the fact
that they can be perfectly simulated from a relatively small number of bits of pure keystream
(2N for an N-stage register, using the Berlekamp-Massey algorithm), are causes for concern.
For this reason it is important to investigate other methods of running keystream generation.
An obvious choice for such a generator is a chaotic recurrence relation. One investigation of
such a scheme is reported in [Forre], who used the Henon map [Henon]

$$\begin{aligned}
x_{n+1} &= 1 - 1.4 x_n^2 + y_n \\
y_{n+1} &= 0.3 x_n
\end{aligned}$$

(where $(x_0, y_0)$ may be chosen anywhere in a certain quadrilateral which includes the origin)
as the basis of such a scheme. Her approach was to consider the strange attractor (Fig. 1)
generated by the map (independent of the initial condition $(x_0, y_0)$) and to estimate the
median of the abscissas of the orbits of the Henon map on this attractor (note that this is
different from the median of the x-values of the attractor). A more accurate investigation
of this scheme was carried out in [Heyman 1], where it was determined experimentally that
the median x-value of an orbit on the attractor is

x  =  .4Q9S 

independent of the initial condition. We now choose an initial condition and iterate the
Henon map, giving the orbit

$$(x_1, y_1), (x_2, y_2), (x_3, y_3), \ldots$$

and we generate a corresponding binary sequence by using the median value as a split point
(Fig. 2), i.e.

/?,  =  (*  lf  x'  -  1  : 

(  0  otherwise 

giving a binary sequence R, called a binary Henon sequence. Heyman has shown (experimentally)
that such sequences have extremely long periods (as might be expected from a chaotic
map), are balanced, and have good autocorrelation properties and linear complexity profile.
However, as noted also by Forre, the runs are poorly balanced; subsequences containing
primarily alternating patterns of zeroes and ones tend to occur noticeably more frequently than
those containing longer runs of all zeroes or all ones (although runs of consecutive ones as
long as 23 have been found by this author). In fact, [Fontana] has shown that the four-tuple

$$\{1, 1, 0, 0\}$$

can never occur with this split point (and eight of the thirty-two possible five-tuples are
unrealizable, including the five-tuple of all zeroes). Despite the attractiveness of the high periods,
this is enough to rule out Henon generated keystreams. Preliminary work indicates that using
a single split as in (5.1) on other two-dimensional maps possessing strange attractors leads
to similarly decimated n-tuple profiles, even for relatively small values of n [Leader]. This
is unacceptable for cryptographic purposes; however, since a chaotic map must be
homeomorphic to the shift map on two symbols [Devaney], there must be a way of converting
the dynamical sequence into a binary sequence (namely, the topological conjugacy) such that
perfect balancing of the runs is obtained. Evidently (5.1) is not such a homeomorphism,
despite its suggestive similarity to the topological conjugacy used to conjugate the quadratic
map to code space [Devaney].
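The n-tuple deficiency described above can be observed by generating a binary Henon sequence and listing the patterns that never appear. This is an added example, not code from the paper or from the cited authors. It assumes that a bit is 1 when the abscissa lies above the split point and 0 otherwise, and it estimates the split point as the median of the sampled orbit rather than using the published value; the starting point, orbit length and names are also assumptions.

```python
from itertools import product

def henon_orbit(x0, y0, n, burn_in=1000):
    """Iterate x' = 1 - 1.4 x^2 + y, y' = 0.3 x; return n abscissas after a transient."""
    x, y, xs = x0, y0, []
    for i in range(burn_in + n):
        x, y = 1.0 - 1.4 * x * x + y, 0.3 * x
        if i >= burn_in:
            xs.append(x)
    return xs

def binary_henon(xs):
    """Split the orbit at its own median abscissa (assumed rule: 1 above, 0 otherwise)."""
    split = sorted(xs)[len(xs) // 2]
    return [1 if x > split else 0 for x in xs], split

def missing_tuples(bits, n):
    """All n-bit patterns that never occur as consecutive bits of the sequence."""
    s = "".join(map(str, bits))
    seen = {s[i:i + n] for i in range(len(s) - n + 1)}
    patterns = ("".join(p) for p in product("01", repeat=n))
    return [t for t in patterns if t not in seen]

def longest_run(bits, value):
    best = run = 0
    for b in bits:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best

def census(n_bits=200_000, start=(0.0, 0.0)):
    bits, split = binary_henon(henon_orbit(start[0], start[1], n_bits))
    return {
        "split": split,
        "balance": sum(bits) / len(bits),
        "missing4": missing_tuples(bits, 4),
        "missing5": missing_tuples(bits, 5),
        "longest_ones": longest_run(bits, 1),
        "longest_zeros": longest_run(bits, 0),
    }

if __name__ == "__main__":
    for name, value in census().items():
        print(f"{name:14s} {value}")
```

The sequence is balanced by construction, yet the census of four- and five-tuples shows the gaps that disqualify it as a keystream.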

The logistic equation, a chaotic map, was one of the first computer pseudorandom
number generators ever used [Peitgen], and research continues on the possible use of chaotic
dynamical systems as pseudorandom bit generators. Other nonstandard (and nonchaotic)
methods of pseudorandom number generation are being investigated as well [Nisan].

6  Conclusions 

In cryptography as well as in other areas (such as simulation), there is a need to produce
large numbers of pseudorandom numbers quickly and without certain statistical defects. The
particular criteria to be met depend on the application but, in cryptography, generally
include balance, balanced runs, good autocorrelation properties, and a good linear complexity
profile; a large period is also desirable. Linear shift registers are the most commonly used
method (generally in conjunction with a nonlinear Boolean function to further mask the
output), but they have certain drawbacks. Chaotic discrete dynamical systems appear to
offer an interesting alternative, but more work is necessary in this area. Initial investigations
indicate potential problems (the balancing of the n-tuples) but also potential payoffs (the
high periods and the nonlinearity, a defense against linear attacks). In [Heyman 2] evidence
is presented that a simple artificial neural network can identify the type of keystream used
(linear shift register vs. Henon vs. linear congruential pseudorandom number generators) as
well as simulate a linear shift register (in the fashion of Berlekamp-Massey, although
using more bits), and effectively predict the next Henon bit at about 70% accuracy, violating
the next-bit test. This research highlights additional weaknesses of both the linear and
nonlinear methods; however, the fact that the neural net completely simulates (i.e. gives
perfect prediction for) the shift register but is imperfect for the Henon method shows another
advantage of the chaotic keystream generator (at least for this type of attack).